Security & Data Governance

Protected at every layer. Verifiable, not just claimed.

Turtini is built on Google Cloud, Firebase, Stripe, and Cloudflare — each with their own certifications. On top of that we run our own tenant isolation, hash-chained audit trail, content moderation, code scanning, and SIEM. Every Wally write previews before it commits and is reversible for 24 hours.

Platform Security

What we built in.

These aren't vendor certifications — they're security controls implemented directly into the Turtini platform.

Encryption everywhere

Every byte you push to Turtini is encrypted in transit (TLS 1.2+) and at rest (AES-256, Google Cloud-managed keys). Sensitive fields like API keys and OAuth tokens are also wrapped with envelope encryption before they hit Firestore.

  • TLS 1.2+ in transit
  • AES-256 at rest
  • Envelope-encrypted secrets for API keys + OAuth tokens

Tenant isolation at the database layer

Every read and write goes through Firestore Security Rules that scope on org membership. Cross-org access isn't prevented by app code — it's structurally impossible. A bug in our application can't leak one org's data to another.

  • Org-scoped rules on every collection
  • Owner / admin / editor / member roles enforced
  • Verified end-to-end via the Firestore Rules Test API

Hash-chained audit trail

Every accounting write — journal entry, month-end close, period lock — is appended to a SHA-256 hash chain per org. Any retroactive edit breaks the chain and is immediately detectable. Auditors get a verifiable transcript without trusting the application layer.

  • SHA-256 hash chain for accounting writes
  • Tamper-evident — any edit invalidates downstream hashes
  • Wally + UI both surface the verification command
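
An added example (not Turtini's code or its actual record format): a minimal per-org SHA-256 hash chain in Python, showing how recomputing the links pinpoints a retroactive edit. The record layout, the genesis value, the sample writes and the externally stored `trusted_head` are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first link of an org's chain

def entry_hash(prev_hash, seq, payload):
    """SHA-256 over the previous link, the sequence number and a canonical payload."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{seq}|{canonical}".encode("utf-8")).hexdigest()

def append(chain, payload):
    """Append one accounting write; each record commits to everything before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "prev": prev, "payload": payload,
                  "hash": entry_hash(prev, seq, payload)})
    return chain[-1]["hash"]

def verify(chain, trusted_head=None):
    """Recompute every link. Returns (ok, seq_of_first_bad_record).

    trusted_head is a head hash kept outside the system being audited
    (hypothetical here); without it, a fully recomputed chain still verifies.
    """
    prev = GENESIS
    for seq, rec in enumerate(chain):
        if (rec["seq"] != seq or rec["prev"] != prev
                or rec["hash"] != entry_hash(prev, seq, rec["payload"])):
            return False, seq
        prev = rec["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, len(chain)  # truncated, or rewritten end to end
    return True, None

def sample_chain():
    """Constructed sample writes for a hypothetical org; not real Turtini records."""
    chain = []
    append(chain, {"org": "org_demo", "type": "journal_entry",
                   "debit": "1000", "credit": "4000", "amount_cents": 125000})
    append(chain, {"org": "org_demo", "type": "month_end_close", "period": "2024-01"})
    append(chain, {"org": "org_demo", "type": "period_lock", "period": "2024-01"})
    return chain

if __name__ == "__main__":
    chain = sample_chain()
    head = chain[-1]["hash"]
    chain[0]["payload"]["amount_cents"] = 1  # retroactive edit to the first entry
    print(verify(chain, head))
```

An auditor who records the head hash at each close can detect both an in-place edit and a chain that was truncated or recomputed afterwards.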

Wally writes preview, undo, and audit

Wally — Turtini's built-in AI — never silently mutates your data. Every write previews before it commits, lands in your org's audit log, and is reversible for 24 hours. Read-only AI prompts cost tokens; writes also leave a paper trail.

  • Preview-and-confirm on every Wally write
  • 24-hour undo on every action
  • Per-org Wally activity log with prompt + tool call + diff

Image + content moderation pipeline

Every image uploaded to Turtini — site assets, profile photos, marketplace listings — passes through Google Cloud Vision SafeSearch before it can be displayed. Flagged content sits in the admin moderation queue; only approved images render to other users.

  • Google Cloud Vision SafeSearch on every upload
  • pending → approved | rejected lifecycle, enforced at render
  • Admin moderation queue with one-click approve / reject

Three-layer platform conduct compliance

AUP gate at signup, automated product-text scan on every public-page publish, and nightly conduct monitoring across all org-generated content. Violations route to a shared moderationQueue with documented thresholds (0.75% warn / 5% suspend).

  • Acceptable Use Policy gate at registration
  • Product-text scan on Builder publishes
  • Nightly conduct sweep with documented thresholds

Marketplace bundle code scanning

Every module bundle uploaded to the Turtini Marketplace is scanned for 30+ threat patterns — obfuscation, crypto miners, shell execution, data exfiltration — before a human reviewer ever sees it. Risk score and findings ride alongside the submission.

  • Pre-upload static scan on every module bundle
  • Risk score + findings surfaced to reviewers
  • Bundles flagged "high risk" blocked from approval workflow

Built-in SIEM

Turtini ships its own Security Information & Event Management module that captures, correlates, and alerts on platform events — auth, role changes, integration connects, marketplace installs, anomalous Wally activity. Your security team doesn't need a separate Splunk.

  • Real-time event ingestion + alert rules
  • Per-org event log with full retention
  • Auto-escalation to org admin email + in-app banner

Payment data — not on our infrastructure

Turtini never stores, processes, or transmits raw cardholder data. All payment handling delegates to Stripe, a PCI DSS Level 1 service provider. We retain only the last-4, brand, and expiry for display.

  • No raw card data on Turtini systems
  • Stripe PCI DSS Level 1 + Stripe Connect for payouts
  • Tokenized payment methods only

Infrastructure

Certifications inherited from our providers.

Turtini runs on Google Cloud + Firebase, processes payments via Stripe, and serves traffic through Cloudflare. The infrastructure layer inherits each of their compliance postures.

Google Cloud

All Turtini application data is stored and processed on Google Cloud.

SOC 2 Type II, ISO 27001, FedRAMP Moderate, ISO 27017, ISO 27018

Firebase

Real-time database, authentication, file storage, and Cloud Functions all run on Firebase.

SOC 2 Type II, ISO 27001, GDPR-compliant infrastructure

Stripe

All payment processing handled by Stripe. Turtini never touches raw card data.

PCI DSS Level 1, SOC 2 Type II, ISO 27001

Cloudflare

DNS, edge caching, and DDoS protection for sites + custom domains.

SOC 2 Type II, ISO 27001, PCI DSS

Infrastructure-level certifications apply to the underlying cloud services. Turtini's own compliance roadmap is SOC 2 Type II → CMMC Level 2 → FedRAMP LI-SaaS for the application layer — covering our own policies, procedures, and controls. SOC 2 readiness is in progress. Contact us for current status; federal buyers can deploy the data plane in their own VPC today (see Air-gap deployment below).

Compliance Alignment

Mapped to NIST CSF.

Posture alignment, not certification — but a recognized reference point for enterprise and government procurement.

Identify
  • Asset inventory via org + module registry
  • Risk scoring on uploaded content + marketplace bundles
  • GL dimensions tag every transaction with owner + module
Protect
  • RBAC enforced at the database layer
  • Encryption in transit + at rest
  • Envelope encryption for secrets
  • Least-privilege Firestore Security Rules
Detect
  • SIEM event monitoring with real-time alerting
  • Automated content + code scanning
  • Conduct sweep across public org content
  • Hash-chain verification of accounting writes
Respond
  • Admin moderation tools for content removal
  • Marketplace bundle review before approval
  • SIEM alert escalation
  • Wally 24-hour undo on platform writes
Recover
  • JSON export of every org record on demand
  • Builder sites exportable to GitHub as static files
  • 30-day grace + 365-day soft-purge recovery on org cancellation
  • Org pause / resume with no data loss

Data Governance

How your data is handled.

Multi-org data isolation

Every org operates in a strict data silo. Firestore Security Rules enforce org-scoping at the database layer — no application-level bug can expose one org's data to another.

No cross-org data sharing

We do not aggregate, sell, or expose individual org data to other orgs on the platform. Your CRM, financial records, and documents stay yours.

Data residency

Application data is stored in Google Cloud's us-central1 region. Firestore, Firebase Storage, and Cloud Functions all operate within this boundary.

Customer-controlled AI endpoints

Wally and every customer-facing AI surface (Builder Docs rewrites, Builder Sites generation and review, AI Builder Review, Builder Design, drafts, translations) can be pointed at an Anthropic- or OpenAI-compatible endpoint your compliance team operates — AWS Bedrock, Bedrock GovCloud, Google Vertex AI in any region, vLLM, Red Hat AI Inference Server, Azure OpenAI, or your own gateway. Prompts and responses never traverse Turtini's infrastructure on the inference path. Configured per-org from Settings → Wally model; keys live in Google Secret Manager, never in our database.

Air-gap deployment (Enterprise)

Federal and regulated buyers can deploy Turtini's data plane into their own VPC via the Firestore portability shim — a Debezium-streamed Postgres replica with declared per-domain schemas. Pair with a BYO inference endpoint and the result is a Turtini that runs inside your boundary with no callbacks to our central tenancy on the hot path. Contact us for the deployment guide.

Employee-owned records

Paystubs and tax documents stay attached to the person, not the org. Employees keep access to their own pay history after they leave an org.

Third-party access

Turtini does not grant third parties access to org data without explicit authorization. External integrations (Gmail, Google Calendar, GitHub) use OAuth and act only on behalf of the authenticated user, with the narrowest scopes that work.

Retention + deletion

Org admins can pause, cancel, or fully purge their org from Settings. Cancellation runs through a 30-day grace + 365-day soft-purge window before any data is permanently deleted. JSON export is always available.

Responsible Disclosure

Found a vulnerability?

If you believe you've discovered a security vulnerability in Turtini, report it responsibly. We review every report promptly and aim to resolve confirmed issues within 30 days.

[email protected]

Please don’t publicly disclose vulnerabilities before we’ve had a chance to address them.

Need our security packet for procurement?

Enterprise and government buyers can request the security questionnaire, infrastructure diagram, and compliance artifacts directly.
